From: "J. Bruce Fields"
Subject: Re: Kerberos authentication Problem with nfs3/4
Date: Mon, 20 Oct 2008 14:48:00 -0400
Message-ID: <20081020184800.GB25796@fieldses.org>
References: <23D48171-03B8-4E14-B56C-081CF004D625@it-loops.com>
In-Reply-To: <23D48171-03B8-4E14-B56C-081CF004D625@it-loops.com>
To: Guntsche Michael
Cc: linux-nfs@vger.kernel.org

On Sat, Oct 18, 2008 at 02:57:08PM +0200, Guntsche Michael wrote:
> I had my kerberised NFS4 and NFS3 setup running in test mode up to the
> end of April.
> After seeing that there have been changes made to the recent code to
> make NFS3+Kerberos work without sec=sys, I tried to mount my exports
> again with kerberos auth enabled.
>
> But for some reason the setup is no longer working. My KDC has not
> changed at all, and I did not change a thing in my NFS config either.
>
> My current setup:
> Server running 2.6.27
> nfs-utils 1.1.3 from debian.

I think the blame is actually due to libnfsidmap. If you downgrade that,
does it work again?

Alternatively, it could probably also be fixed with changes to your
/etc/idmapd.conf or with the latest libnfsidmap from
git://git.linux-nfs.org/projects/kwc/libnfsidmap.git.

--b.
> klist -k from the server:
> =========================
>
> ---- --------------------------------------------------------------------------
>    3 nfs/gibson.comsick.at@COMSICK.AT (DES cbc mode with CRC-32)
>    4 host/gibson.comsick.at@COMSICK.AT (Triple DES cbc mode with HMAC/sha1)
>    4 host/gibson.comsick.at@COMSICK.AT (DES cbc mode with CRC-32)
>    4 imap/gibson.comsick.at@COMSICK.AT (Triple DES cbc mode with HMAC/sha1)
>    4 imap/gibson.comsick.at@COMSICK.AT (DES cbc mode with CRC-32)
>
> For testing purposes I tried mounting the export from the server itself,
> which also did not work.
>
> exports:
> ========
>
> /srv/nfs4 *(sec=krb5:sys,rw,async,fsid=0,insecure,crossmnt,no_subtree_check)
> /srv/nfs4/media *(sec=krb5:sys,rw,async,insecure,crossmnt,no_subtree_check)
>
> Mount command from the server to itself (sec=sys works):
> ========================================================
>
> mount -t nfs4 -osec=krb5 gibson:/media/ /mnt
>
> rpc.gssd -vv -f:
> ================
>
> beginning poll
> handling krb5 upcall
> Full hostname for 'gibson.comsick.at' is 'gibson.comsick.at'
> Full hostname for 'gibson.comsick.at' is 'gibson.comsick.at'
> Key table entry not found while getting keytab entry for
> 'root/gibson.comsick.at@COMSICK.AT'
> Success getting keytab entry for 'nfs/gibson.comsick.at@COMSICK.AT'
> Successfully obtained machine credentials for principal
> 'nfs/gibson.comsick.at@COMSICK.AT' stored in ccache
> 'FILE:/tmp/krb5cc_machine_COMSICK.AT'
> INFO: Credentials in CC 'FILE:/tmp/krb5cc_machine_COMSICK.AT' are good
> until 1224370141
> using FILE:/tmp/krb5cc_machine_COMSICK.AT as credentials cache for
> machine creds
> using environment variable to select krb5 ccache
> FILE:/tmp/krb5cc_machine_COMSICK.AT
> creating context using fsuid 0 (save_uid 0)
> creating tcp client for server gibson.comsick.at
> creating context with server nfs@gibson.comsick.at
> WARNING: Failed to create krb5 context for user with uid 0 for server
> gibson.comsick.at
> WARNING: Failed to create krb5 context for user with uid 0 with
> credentials cache FILE:/tmp/krb5cc_machine_COMSICK.AT for server
> gibson.comsick.at
> WARNING: Failed to create krb5 context for user with uid 0 with any
> credentials cache for server gibson.comsick.at
> doing error downcall
> Failed to write error downcall!
> destroying client clntbe
> destroying client clntbd
>
> rpc.svcgssd -vvf:
> =================
>
> leaving poll
> handling null request
> sname = nfs/gibson.comsick.at@COMSICK.AT
> WARNING: get_ids: failed to map name 'nfs/gibson.comsick.at@COMSICK.AT'
> to uid/gid: Invalid argument
> sending null reply
> writing message: \x \x<hex GSS token omitted> 2147483647 131072 0 \x \x
> finished handling null request
> entering poll
>
> the mount command returns with
>
> mount.nfs4: access denied by server while mounting gibson:/media/
>
> I tried downgrading the kerberos server and also the nfs-utils version. I
> also tried it with an older kernel version (2.6.25) but the result was
> the same. All other kerberos stuff (ssh, imap) is working so I think it
> has something to do with the nfs setup here.
>
> As you can see the nfs entry is there too.
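As an added diagnostic (not part of this thread, and not nfs-utils or libnfsidmap code), the following Python checker runs over the `klist -k` and `rpc.svcgssd -vvf` output quoted in the report to separate a missing `nfs/<fqdn>` keytab entry from a failed GSS-name-to-uid mapping, which is the libnfsidmap failure Bruce points at. The sample inputs are abridged from the report with the realm taken from the machine ccache name; the function names and the `fqdn` parameter are my own.

```python
import re

# Sample inputs, abridged from the report above (constructed test data).
KLIST_OUTPUT = """\
   3 nfs/gibson.comsick.at@COMSICK.AT (DES cbc mode with CRC-32)
   4 host/gibson.comsick.at@COMSICK.AT (Triple DES cbc mode with HMAC/sha1)
   4 host/gibson.comsick.at@COMSICK.AT (DES cbc mode with CRC-32)
"""
SVCGSSD_LOG = """\
handling null request
sname = nfs/gibson.comsick.at@COMSICK.AT
WARNING: get_ids: failed to map name 'nfs/gibson.comsick.at@COMSICK.AT' to uid/gid: Invalid argument
sending null reply
"""

# "<kvno> <principal>@<REALM> (<enctype>)" as printed by klist -ke
KEYTAB_RE = re.compile(r"^\s*(\d+)\s+(\S+?)@(\S+)\s+\((.+)\)\s*$")
# rpc.svcgssd warning emitted when libnfsidmap cannot map the GSS name
MAP_FAIL_RE = re.compile(r"get_ids: failed to map name '([^']+)' to uid/gid: (.+)$")


def keytab_entries(klist_text):
    """Parse klist -k lines into (kvno, principal, realm, enctype) tuples."""
    entries = []
    for line in klist_text.splitlines():
        m = KEYTAB_RE.match(line)
        if m:
            entries.append((int(m.group(1)), m.group(2), m.group(3), m.group(4)))
    return entries


def check_nfs_principal(klist_text, fqdn):
    """Report whether nfs/<fqdn> is in the keytab and whether it only has single-DES keys."""
    enctypes = [e[3] for e in keytab_entries(klist_text) if e[1] == f"nfs/{fqdn}"]
    # Single-DES enctypes start with "DES cbc mode"; "Triple DES ..." does not match.
    weak_only = bool(enctypes) and all(e.startswith("DES cbc mode") for e in enctypes)
    return {"present": bool(enctypes), "enctypes": enctypes, "weak_only": weak_only}


def idmap_failures(svcgssd_log):
    """Return (principal, error) pairs that rpc.svcgssd could not map to a uid/gid."""
    return [(m.group(1), m.group(2)) for line in svcgssd_log.splitlines()
            if (m := MAP_FAIL_RE.search(line))]


def diagnose(klist_text, svcgssd_log, fqdn):
    """Classify the server-side failure: missing key, id-mapping failure, or neither."""
    if not check_nfs_principal(klist_text, fqdn)["present"]:
        return "keytab"   # svcgssd cannot accept a context without the nfs/ key
    if any(p.startswith("nfs/") for p, _ in idmap_failures(svcgssd_log)):
        return "idmap"    # key is fine; the name-to-id step (libnfsidmap) failed
    return "ok"
```

For the quoted report the verdict is "idmap", and the checker also notes that the nfs/ key exists only with a single-DES enctype, which is worth fixing separately from the mapping problem.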